so just like unify circa 2017?

it was over ssl, but still.

technically correct. google chrome should forever be called "Tainted Chromium" to use the same nomenclature as the Linux Kernel when you load blobs.

your code do not run from that domain at all.

it does if I hack your dns server :)

It seems most if not all google domains are HSTS preloaded so no you can't: https://hstspreload.org/?domain=script.google.com

if we are guessing I would drawn my guess from the hyper controlled access to android play services, which do much more than what you are guessing.

my guess would also include some nifty debug info from FLoC ;)

Hardly the same.

apis are public, documented and the domain allowlist is both included in the UI and about:config (save from android playstore version where they hide everything to make the browser pure garbage for whatever reason)

and I'm pretty sure devs would at least think about adding your domain by default if you ask nicely with a great use case on bugzilla.

What? You think that Mozilla devs would think about adding your domain to the whitelist of domains allowed to install extensions if you just asked nicely? That would be insane from a security perspective.